Description
An insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux and Windows allows Resource Leak Exposure.

This issue affects Avantra: before 25.3.0.
Published: 2026-05-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability causes the Avantra application to write sensitive data, including encrypted secrets, directly into its log files. Because the logs are not sanitized, an attacker who can read those files may gain access to confidential information. The weakness is classified as CWE-532 (Insertion of Sensitive Information into Log File) and leads primarily to a loss of confidentiality that could enable credential theft or further system compromise.

Affected Systems

Avantra versions prior to 25.3.0 running on Linux or Windows are affected. This includes all installations of syslink software AG Avantra that have not been upgraded to the 25.3.0 release or later.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Although no EPSS score is available, the risk remains significant because an attacker may be able to read the log files, whether through local access or by exploiting another vulnerability. The vulnerability is not listed in the CISA KEV catalog, suggesting no large-scale exploitation is known at this time. The likely attack vector involves obtaining file read permissions on the Avantra log directories, after which sensitive data can be extracted without requiring privilege escalation.

Generated by OpenCVE AI on May 22, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Avantra 25.3.0 or newer to remove the insecure logging behavior.
  • Restrict file system permissions on Avantra log directories so that only privileged users can read logs, and configure log rotation to limit retention time.
  • Perform a manual audit of existing log files for sensitive data, purge any discovered secrets, and consider implementing log sanitization filters or redaction if available.


Advisories

No advisories yet.

History

Fri, 22 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 15:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Syslink Software Ag; Syslink Software Ag avantra

Type: Vendors & Products
Values Removed: (none)
Values Added: Syslink Software Ag; Syslink Software Ag avantra

Fri, 22 May 2026 13:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux, Windows allows Resource Leak Exposure. This issue affects Avantra: before 25.3.0.

Type: Title
Values Removed: (none)
Values Added: Log Files contain encrypted secrets

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-532

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-05-22T15:04:52.672Z

Reserved: 2026-05-15T11:49:58.220Z

Link: CVE-2026-8671

Vulnrichment

Updated: 2026-05-22T15:04:49.252Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:45:16Z
